Slashdot Mirror


Examining an Automated Spam Tool

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

31 of 415 comments

  1. yep by Anonymous Coward · · Score: 2, Insightful

    yet another example spammers aren't just mom&pop operations. This is a big business, with big money backing it.

    Something desperately needs to be done with SMTP to control this stuff....

    1. Re:yep by Urkki · · Score: 5, Insightful
      • Something desperately needs to be done with SMTP to control this stuff....

      Yes. It needs to be completely blocked at backbone routers, and new and better alternative developed.

      So, the steps would be
      1. develop a better alternative as fast as possible, and make it as simple as possible to implement.

      2. deploy the better alternative for test use.

      3. develop a fixed version 2 of the better alternative after its holes are discovered.

      4. deploy the fixed version.

      5. block SMTP and version 1 of new protocol at international and national backbones and national borders, so that everybody is forced to switch.

      So SMTP would still be completely usable for example inside organizations, so if a company has huge installed base of legacy software, they could have internal SMTP-new protocol gateway.

      Of course this would require IETF to get their act together, and various governments to agree that this must be done, and actual new protocol to be simple enough and not contain patented algorithms or any other stupidities.

      So it will not happen. Then spam will overwhelm the internet transfer capacity. Then SMTP is blocked and free internet e-mail will cease to exist. Proprietary solutions will develop, but there will be chaos. Incidentally, Microsoft will happily provide a closed proprietary system only usable from their operating systems.
  2. Re:All this really makes me wonder... by taperkat · · Score: 5, Insightful
    can't we just beat the stupid people that actually respond to spam, thereby making the spammers more money to keep berating me to get my cock enlarged?

    after all, I am a female.

    --
    "But I can't get an ocean that's deep enough for my day..." ~The Frames, "Fitzcarraldo"
  3. If only by goodbye_kitty · · Score: 4, Insightful

    If only we could harness the power of these cool (and working!) distributed systems to provide efficient peer to peer content distribution or an actual legitimate email system of some sort...

  4. Why do you hate to admit it? by Tim+C · · Score: 4, Insightful

    If they're good, and are producing sophisticated tools and methods for spamming, then it's imperative that it is admitted, so people will understand the true nature of the problem and what anti-spammers are up against.

    One of the most fatal mistakes you can make in any conflict is to underestimate your opponent.

  5. Re:All this really makes me wonder... by calebtucker · · Score: 5, Insightful

    I totally agree. While I really hate the spammers I think I might hate the people that actually buy stuff from spam a little bit more.

    If you think about it, there are some really intelligent spammers (even though they are disgusting scum of the earth). They're always one step ahead of us and are figuring out new ways to spam us.

    On the other hand, the people who buy stuff from spam are just plain morons. period.

    --
    My sig can beat up your sig.
  6. Re:Spammers know what they're doing by Vainglorious+Coward · · Score: 5, Insightful

    • Spammers regularly compromise other systems and install sophisticated software to allow easier spamming.

    • I could have sworn that this was illegal.

    It is illegal, but then again, many of the products and services the spammers are pimping are also illegal. The legality (or not) has very little to do with it.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  7. Re:Spammers know what they're doing by Urkki · · Score: 5, Insightful

    Of course it is illegal. The problem is catching those that do it. The actual spam marketers will be hard to prosecute for it just because they use services of other "businesses" for delivering their marketing material. And actually getting these "other businesses" to court might be rather hard if they operate in some 3rd World pirate haven, have no public office, and all business transactions are handled electronically, and are purposefully hidden or obfuscated.

  8. The products themselves take care of that by Anonymous Coward · · Score: 2, Insightful
    People who respond to Nigerian spammers get taken.
    People who buy pump&dump-spamvertised stocks lose their money.
    People who buy bogus-prescription opiate painkillers go to sleep all the time and lose their nationwide radio shows.
    People who buy penis enlarger pills have their dicks fall off. The problem is that they're usually older men who have already made their contributions to the gene pool, so Darwin doesn't get them in the end.

    The problem, of course, is that all of these bad things happen to the customers after they've given the spammers their money, so it doesn't stop the spammers, and if they're dumb enough to believe that the spammers' products will work, they're too dumb to believe the Absolutely True Results By Top Scientists which say that their dicks will fall off if they buy fake vi1@gruh, even if we get the supermarket tabloids to keep printing headlines about it.

  9. yes it is profitable by RouterSlayer · · Score: 5, Insightful

    yes it's definitely profitable, this is part of the problem, a major part of it!

    even with all the crap that people are doing, new SMTP clients, new RFCs and bullshit, it's not going to work!

    why? because spammers pay their ISPs tens of thousands of $ a month just for the privilege of spamming!

    I remember an old story months (or years) ago about a spammer, got tracked down, the whole nine yards, the ISP refused to cut them off because they were paying the ISP over $50,000 a MONTH to send spam. These days they pay even more.

    So all your "checks and balances" don't do any good, because the spammers are VALID users (at least in the eyes of the ISP hosting them).

    And this is also why no one does egress filtering. AT&T US, etc won't do it because they get PAID to keep sending the stuff...

    face it, spam is BIG business, it makes millions, esp for the ISPs, etc.

    all your useless "valid" client checks, checksums, special SMTP servers, blah blah blah won't make a damn of difference.

    the only way is with either good (huge) blacklists or bayesian all over the place.

    and what someone said about "end users" not caring about bandwidth usage, not true. I'm an end-user, and I care, excess bandwidth costs me money dammit! I am my own mail server, so don't tell me a firewall on my server is gonna slow down the traffic. it doesn't.

    I keep to my original proposal, a massive blacklist. headache? yes, but it'd work if kept updated...

  10. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  11. Probably not (itself) spam mail by Anonymous Coward · · Score: 1, Insightful

    It looks like a pretty standard challenge-response thing. While I suppose that those could be faked to verify emails on a spamlist, it's more likely that one of those viruses that emails with random from addresses sent mail to someone using a challenge-response system with inadequate spam controls being applied before the challenge stage.

  12. Pretty good article by bigjnsa500 · · Score: 5, Insightful

    It was a pretty good article, but he leaves off one glaring fact. If he had kept his software up to date, this would never have happened. BugTraq says August 2002 when this was identified.

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
  13. apache wasn't rooted, an installed PHP app was by deander2 · · Score: 4, Insightful

    it should be noted that this wasn't apache that was rooted. it was a poorly written PHP app, using an injection technique.

  14. Spam funders? by 192939495969798999 · · Score: 2, Insightful

    Who exactly is funding all this spam? Is there one major media conglomerate behind it, like Viacom? That would be totally wild.

    --
    stuff |
  15. A question regarding education/tracking? by Anonymous Coward · · Score: 4, Insightful

    I have 2 questions that I have always wondered:

    1. Most spam mails are selling something physical and are actual companies; why can't they therefore be tracked down and slapped with lawsuits easily?

    2. Why doesn't user education work? Maybe a mass education campaign towards users will make the spammers give up - I agree there will always be the odd idiot, but if 99% of users are educated, just like most kids know not to talk to strangers, there will eventually be a decline in such?

    1. Re:A question regarding education/tracking? by Kjella · · Score: 4, Insightful

      1. Because it's usually some spamming company performing the spamming, not the real company. They only hired their "PR services", in which case you have to prove they did know their marketing practices would be illegal.

      2. No, 99% is not enough. A 1% response rate would be insanely high. Even a 0,01% response would easily be enough. Because it costs next to nothing, with next to nothing in risk.

      To pull on your "99% of users are educated, just like most kids know not to talk to strangers" analogy, it wouldn't work if the pedos could ask thousands of children simultaneously (i.e. no cost of time) and none of those that refused would report it. Who cares if 990 turn you down, if you can have a 10-kid orgy every day? Sounds awfully cruel, but that's the way spam works today. They prey on the few stupid enough, and hope that the great majority will simply hit 'delete'.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  16. Re:why not e-stamps? by Vainglorious+Coward · · Score: 2, Insightful
    • How come the idea of e-stamps is not getting any traction?...I don't see what the technical ... barriers are.
    No offence, but many people more technically gifted than you or I have been wrestling with these issues for years and still haven't created a solution because the problem is a hard one to solve.

    On a simple level, consider this - in order to migrate from the SMTP protocol to "something better", we would either have to (a) have the entire world convert simultaneously to the new standard or (b) allow backward compatibility with SMTP. (a) seems highly unlikely, and (b) means that you don't solve the problem. And before you point out that in the case of (b) we'd only need a limited transition time before we'd all be on the new protocol, I'd offer the example of IPv6. How many years has IPv6 been in the works? How many million man-hours of committee time has it already been through? How close are we all to deploying IPv6?

    --
    My next sig will be ready soon, but subscribers can beat the rush
  17. gotta be an easier way to... by martin · · Score: 2, Insightful

    1) make money (or is spamming that easy?)
    2) get my rc control car that gives me a reduced mortgage, life insurance and 'elongates' my love life :-)

    More seriously, the education needs to be for the people who buy off these people. If people stop using the 'services' then the spammers will move onto some other way of making money.

  18. TMDA (was:Bad getting worse...) by zenspider · · Score: 2, Insightful

    I've gotten a few of those and always attributed it to a legitimate TMDA triggered by the newer breeds of email viruses that set the from: to be someone else from the addressbook (ie, me).

  19. Interesting, but... by grahamtriggs · · Score: 5, Insightful

    Let's first of all say I am no fan of spam. In fact, I hate it. All spammers - and virus writers - should be strung up and subjected to some real virii.

    However, some of these statistics are possibly obscuring reality. For example, let's take Messagelabs anti-spam service. Until recently, all emails from WorldPay - receipts, etc. - were marked as spam. All the traffic on an email discussion list that I have signed up for are marked as spam. Some commercial email notification lists that I have signed up for (ie. Maplin offers) are marked as spam.

    But none of those emails *are* spam. Admittedly, some spam emails do get through without being flagged. So maybe it's a bit 'swings and roundabouts'. And regardless, the situation is pretty depressing anyway.

    One thing I have been thinking about - and just wondering whether it should be entered as an Ask Slashdot item - are some of the 'cures' as bad as the problem itself?

    I work on biology / medicine journals websites, and we offer a number of automatic notification and general update services. Note that these are *not* spam - they are requested by individuals by signing up on the website - and instructions are given in every email in how to remove yourself from the list. And they are a very valuable service to many people that do choose to receive them. Yet it only takes 1 person to not bother to read or follow the removal instructions, or otherwise hit some other temporary (accidental) issue that holds up their removal, and then submit it to a blacklist service to bugger things up for many other people.

    So where is the regulation on the blacklist services? Where is the ability for *genuine* (provably genuine) companies to register their services in such a way that rather than getting blacklisted immediately, they have the opportunity to respond to the issue raised? Is this a small or large price to pay to partially stem the tide of actual spam?

    1. Re:Interesting, but... by taustin · · Score: 3, Insightful

      • So where is the regulation on the blacklist services?

      The market regulates it. A blacklist that is too aggressive doesn't get used. It's really that simple. If your ISP blocks stuff you don't want blocked, complain to them, or switch. If someone's blocking your mail, it's up to them to complain to their ISP. If they don't, they obviously don't object.

      • Where is the ability for *genuine* (provably genuine) companies to register their services in such a way that rather than getting blacklisted immediately, they have the opportunity to respond to the issue raised?

      Most mail admins don't give a flying fuck whether you are a "genuine" company or not. I got spammed relentlessly by American Express, until I block their entire IP block until the heat death of the universe. If you don't want to be blocked, don't spam. It's not that difficult. Really.

    2. Re:Interesting, but... by c_dog · · Score: 2, Insightful

      The only problem that I can see in your solution is that "genuine" is usually validated for the deepest pocket...meaning that if you have the money to spend to "legitimize" your "marketing" efforts, you will *never* be blacklisted. To get a working example of this, look no further than the exemptions identified in the US Do-Not-Call List.

  20. Re:why not e-stamps? by harrkev · · Score: 2, Insightful
    • Finally if the message does not contain a stamp and is not white listed, the message is put in a spam folder and a memo sent to the sender (me) telling me that I need to request permission to send e-mail.


    Yup. Then my anti-spam system sends you an e-mail and you, the spammer collect my penny...

    Or ... my anti-spam system sends you an e-mail telling you to request permission. Then your anti-spam system sends me an e-mail telling me that I have to request permission. Then my anti-spam system sends you an e-mail telling you to request permission. Then your anti-spam system sends me an e-mail telling me that I have to request permission. Lather, rinse, repeat.
    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
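The ping-pong between two challenge-response filters that harrkev describes, as an added example that is not code from the thread or from any C/R product: two simulated filters that each challenge the other's challenge, beside the RFC 3834 Auto-Submitted header check that stops the loop. Delivery is simulated in-process, the addresses and whitelists are constructed, and PHP 8 is assumed.

```php
<?php
// Added example: two challenge-response (C/R) mail filters looping on each
// other's challenges, and the RFC 3834 Auto-Submitted check that breaks it.
// Nothing here touches a real mail system. Requires PHP 8.

// A message is an associative array of headers (constructed; no body needed).
function make_message(string $from, string $to, string $subject, array $extra = []): array {
    return array_merge(['From' => $from, 'To' => $to, 'Subject' => $subject], $extra);
}

class CrFilter {
    public array $inbox = [];        // mail from whitelisted senders
    public array $quarantined = [];  // everything else, pending confirmation

    public function __construct(
        public string $address,
        private array $whitelist,
        private bool $skipAutoGenerated  // the fix: never challenge auto mail
    ) {}

    // Process one incoming message; returns the challenge to send, or null.
    public function receive(array $msg): ?array {
        if (in_array($msg['From'], $this->whitelist, true)) {
            $this->inbox[] = $msg;
            return null;
        }
        $this->quarantined[] = $msg;
        // Hardened path (RFC 3834): auto-replied/auto-generated mail is never
        // answered, so a challenge from another C/R system dead-ends here.
        if ($this->skipAutoGenerated && ($msg['Auto-Submitted'] ?? 'no') !== 'no') {
            return null;
        }
        // Challenges are themselves marked as auto-replied, per RFC 3834.
        return make_message($this->address, $msg['From'],
            'Please confirm you sent: ' . $msg['Subject'],
            ['Auto-Submitted' => 'auto-replied']);
    }
}

// Bounce messages between the two filters until one stays silent or the hop
// limit trips (real mail systems loop until a queue or quota fills up).
// Returns the number of challenges exchanged.
function run_exchange(CrFilter $a, CrFilter $b, array $first, int $maxHops = 50): int {
    $filters = [$a->address => $a, $b->address => $b];
    $msg = $first;
    $hops = 0;
    while ($hops < $maxHops) {
        $reply = $filters[$msg['To']]->receive($msg);
        if ($reply === null) {
            break;
        }
        $hops++;
        $msg = $reply;
    }
    return $hops;
}

// Neither side knows the other and both run C/R (constructed addresses).
foreach ([false, true] as $hardened) {
    $alice = new CrFilter('alice@example.com', ['friend@example.com'], $hardened);
    $bob   = new CrFilter('bob@example.com',   ['mom@example.com'],    $hardened);
    $hops  = run_exchange($alice, $bob,
        make_message('alice@example.com', 'bob@example.com', 'Hi Bob'));
    printf("%-8s challenges exchanged: %d%s\n", $hardened ? 'hardened' : 'naive',
        $hops, $hops >= 50 ? ' (cut off only by the hop limit)' : '');
}
```

The header check only kills the loop; Alice's original mail still sits in Bob's quarantine, which is the usability problem the thread is arguing about.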
  21. Re:stupid gap in PHP... by kisrael · · Score: 3, Insightful

    How is this a stupid gap? How are variables dangerous? They are only dangerous when misused. All variables are by default dangerous! Call out the troops!
    Do you understand the issue?

    In summary, a default where the global variable namespace of your program is settable by any bozo with a web browser is a poor design. Sure, a good programmer will take steps to make sure he knows where his or her data is coming from, but a language shouldn't encourage such public exposure of fundamental things. (which is why the default changed, according to other posters here)

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
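The design flaw kisrael describes is PHP's register_globals setting, which turned every request parameter into a global variable; its default changed to Off in PHP 4.2 and it was removed in PHP 5.4. The following is an added example, not code from the article or the thread: the uninitialised-flag pattern that the old default made exploitable, beside the hardened form. Because register_globals no longer exists, extract() stands in for it so the script runs on a current PHP CLI; the request array and credentials are constructed.

```php
<?php
// Added example, not from the article or the thread. extract() emulates what
// register_globals=On did implicitly before the script ran: every request
// parameter becomes a variable in the script's namespace.

// Constructed request: no valid credentials, but it carries its own
// "authorized" parameter, which a client is free to add to any URL.
$request = ['authorized' => '1', 'user' => 'guest', 'pass' => 'wrong'];

function check_password(string $user, string $pass): bool {
    // Constructed credential check; a real app would verify a password hash.
    return $user === 'admin' && $pass === 'correct-horse';
}

// Vulnerable: the pattern many register_globals-era PHP apps shipped with.
function vulnerable_is_admin(array $request): bool {
    // Stand-in for register_globals: request parameters become variables,
    // including $authorized, which the script never expected from the client.
    extract($request, EXTR_OVERWRITE);
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    // $authorized is never initialised on the failure path, so the client's
    // value survives and the gate opens.
    return !empty($authorized);
}

// Hardened: never let request input name your variables. Initialise every
// flag and read parameters explicitly from the request array (the $_POST /
// $_GET superglobals in a real script), so nothing else can reach them.
function hardened_is_admin(array $request): bool {
    $authorized = false;
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

printf("vulnerable: %s\n", vulnerable_is_admin($request) ? 'ADMIN' : 'denied');
printf("hardened:   %s\n", hardened_is_admin($request) ? 'ADMIN' : 'denied');
```

On old installations the equivalent configuration fix was register_globals = Off in php.ini; on current PHP the setting is gone and only the explicit-superglobal style remains.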
  22. Re:Need to block port 25 all over by tgd · · Score: 4, Insightful

    To do that ISPs need to allow SMTP authenticated users to send e-mail with any domain name attached.

    I have to run my own e-mail server, because Comcast (my cable modem provider) doesn't allow me to send outgoing e-mails with my real e-mail address, it's got to be @comcast.net or whatever their domain is.

    If they block port 25, e-mail is effectively shut off for me as a usable technology on the Internet, and I'll be stuck either having to tunnel the e-mail to someone who doesn't have it blocked, or change ISPs.

  23. Time to get serious? by Anonymous Coward · · Score: 2, Insightful

    I wonder how long before people start having to "strike back". This guy got as far as finding out the master server; just imagine, for a moment, what he could have found had he turned the tables and rooted the master server. He probably would be able to trace back all the way to the culprit.

    I'm not saying this should be done; I'm just saying this will be done, sooner or later, by someone who got fed up enough. And that will mean the end of the Internet as we know it, since the spammers will react violently to the strike back, turning the whole net into a gigantic game.

  24. Re:SpamAssassin makes me not care by harlows_monkeys · · Score: 4, Insightful
    • I know it is selfish...I no longer care about spam

    Not selfish. The word you want is stupid. Your attitude is equivalent to saying you don't care about massive water pollution because you've got a really good personal filtering system that can make a small amount of drinking water safe, so you don't care about pollution, say, killing crops.

    The problem with spam is that it is threatening to overwhelm the basic infrastructure of the net.

  25. Re:SPAM Problem Solved by Anonymous Coward · · Score: 1, Insightful

    That's all very nice until some free software zealots decide to send out millions of spams advertising Microsoft products. Bam! Law gone. You need to prove that they hired spammers to promote themselves. Not to mention, that a lot of these products are quasi-legal and many operators are overseas or in the gray market underground, beyond our jurisdiction or out of reach. Fighting on this front is exactly like the war on drugs, and we know how successful that has been.

  26. "The Authorities?" I don't think they care. by annielaurie · · Score: 3, Insightful

    The overwhelming amount of spam I get now involves the advertising (and presumably selling) of a controlled substance--a prescription drug that is deemed a narcotic. The prescribing of this drug (and a few others in the spams) by legitimate physicians, and its dispensing by legitimate pharmacies are strictly regulated in some kind of effort to prevent the abuse of the drug--an abuse that is rampant in many areas of the US.

    I keep waiting to hear that the Federal authorities have taken some action in this regard. If you've ever been through US Customs (and especially if you're young, not white, or in any way "unusual" looking) you'll know that they make a great show of looking through everybody's sneakers and dirty laundry on the hunt for "illegal drugs." Even in these times of terrorism, it's their chief claim to fame.

    The potential for abuse seems enormous and growing to me. It also seems to me that a lot of the spams advertising this stuff originate in, or pass through, the U.S. If somebody in our town hung out a sign saying GET YOUR PRESCRIPTION NARCOTICS HERE--NO PRESCRIPTION REQUIRED, my guess is the police would take an interest. But we seem to have virtual open-air drug markets operating undisturbed.

    If anyone wonders how spammers make money, this is certainly one possible way, and I suspect it's incredibly lucrative.

    --
    DUCT TAPE: The Election Supervisors' Secret Weapon
  27. Re:New protocol? by dgatwood · · Score: 2, Insightful
    This is a terrible idea at so many levels. Even if it helps penalize open relays and prevents the whole "connect, dump, disconnect" DSL-connected mail servers, it creates a dozen new problems for each one it solves.

    For one, notifications being stored in memory means lost mail, or at least the need for every server in the world to periodically check and make sure you have received your notification. More notifications = more overall traffic = network flood from hell.

    Second, it means that the sender's machine has to be online and accessible in order for me to read mail that was sent to me. The internet is a flaky thing. I'm almost guaranteed to be able to reach my local mail server. No such assurance exists for random joe remote mail server in Siberia.

    This is particularly a problem in a corporate environment where people regularly get email messages from slow, distant servers. Imagine potentially taking a 30 second DNS timeout for every single email you open, and I'm sure you see the potential problem.

    That solution is taking a step towards the right solution, however, which is to ensure that the sender's location cannot be forged. This is easily accomplished through proper signing of messages (with a properly certified key) at the server level without any need to modify the SMTP protocol itself. While such a scheme requires buy-in, it neither breaks backwards compatibility (though it does make it intentionally painful for people who don't upgrade their mail servers by requiring per-message verification) nor breaks the fundamental usability of email.

    Just my $0.02.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.